1. Field of the Invention
The present invention relates to systems and methods for improving intrusion detection capabilities of an Intrusion Detection System (IDS) associated with a network system. More particularly, the present invention relates to a system and related method for rapid, dynamic deployment of intrusion detection signatures and capabilities to devices of the network system infrastructure having IDS function capability or limited IDS function capability.
2. Description of the Prior Art
Computing systems are useful tools for the exchange of information among individuals. The information may include, but is not limited to, data, voice, graphics, and video. The exchange is established through interconnections linking the computing systems together in a way that permits the transfer of electronic signals that represent the information. The interconnections may be either cable or wireless. Cable connections include, for example, metal and optical fiber elements. Wireless connections include, for example infrared, acoustic, and radio wave transmissions.
Interconnected computing systems having some sort of commonality are represented as a network. A network permits communication or signal exchange among the various computing systems of a common group in some selectable way. The interconnection of those computing systems, as well as the devices that regulate and facilitate the exchange among the systems, represent a network. Further, networks may be interconnected together to establish internetworks. For purposes of the description of the present invention, the devices and functions that establish the interconnection represent the network infrastructure. The users, computing devices and the like that use that network infrastructure to communicate are referred to herein as attached functions and will be further defined. The combination of the attached functions and the network infrastructure will be referred to as a network system.
Presently, access to applications, files, databases, programs, and other capabilities associated with the entirety of a discrete network is restricted primarily based on the identity of the user and/or the network attached function. For the purpose of the description of the present invention, a “user” is a human being who interfaces via a computing device with the services associated with a network. For further purposes of clarity, a “network attached function” or an “attached function” may be a user connected to the network through a computing device and a network interface device, an attached device connected to the network, a function using the services of or providing services to the network, or an application associated with an attached device. Upon authentication of the offered attached function identity, that attached function may access network services at the level permitted for that identification. For purposes of the present description, “network services” include, but are not limited to, access, Quality of Service (QoS), bandwidth, priority, computer programs, applications, databases, files, and network and server control systems that attached functions may use or manipulate for the purpose of conducting the business of the enterprise employing the network as an enterprise asset. The basis upon which the network administrator grants particular permissions to particular attached functions in combination with the permissions is an established network usage policy.
Events and activities do occur that may be harmful to the network system. For purposes of this description, harm to the network system includes, for example, denying access to the network, denying access to the service once permitted access to the network, intentionally tying up network computing resources, intentionally forcing bandwidth availability reduction, and restricting, denying or modifying network-related information. There are currently two generally available forms of network protection designed to minimize such types of network harm: firewalls and IDSs. Firewalls monitor, analyze and enforce all in one, and are designed to prevent the passage of packets to the network based on certain limited specific conditions associated with the packets. Firewalls do not permit packet passage for the purpose of further analysis nor do they enable assigned policy modifications.
IDSs only monitor traffic. They do not analyze nor do they enforce. They are generally more effective at monitoring/detecting potentially harmful traffic than are firewalls. They are designed to observe the packets, the state of the packets, and patterns of usage of the packets entering or within the network infrastructure for harmful behavior. For the most part, existing IDSs, whether network-based (NIDS), host-based (HIDS) or a combination of the two (NIDS/HIDS), report possible intrusions to a centralized application for further analysis. That is, all detected potentially harmful occurrences are transferred to a central processing function for analysis and, if applicable, alarm reporting. The detection functionality may reside in one or more appliances associated with one or more network entry devices. Each appliance provides its own report to the central processing function with respect only to those packets passing through it. The central processing function then conducts the analysis and the alarm reporting. Network administrators often restrict the intrusion detection functionality to certain parts or entry ports of the network system rather than to the entirety of the system. That is, for example, all packets entering a network infrastructure from an attached function may be forced to enter through one or more select entry functions. Those functions may be specific devices and/or specific ports of one or more devices.
Upon receipt of an alarm, the network administrator can either do nothing, or implement a response function through adjustment of the operation of one or more network infrastructure devices. The implementation of a response function may take a relatively significant amount of time, with the response delay, or latency, potentially allowing greater harm to, or at least reduced effectiveness of, the network system prior to the implementation of a function to address the triggering activity or event. Further, the entry functions are chosen for throughput capacity, but generally do not have the monitoring capability on all ports, particularly given the intensive processing capacity generally required for packet analysis. That restricted deployment forces the network administrator to balance network security with full use of the network infrastructure capacity.
The IDS operates by monitoring network signal traffic for deviations from normal expected activities. Deviations are identified by comparing monitored traffic with known acceptable traffic patterns. At the most detailed level, the monitoring involves examining each bit of traffic and evaluating strings of bits for patterns. At an intermediate level, signal exchange formats, or packaging protocols are examined for deviations from known expected protocol formats. At the highest level and minimal detail, anomalies in overall traffic patterns are monitored, such as substantial changes in activity at a particular port of a particular network infrastructure device. The present invention is directed to the most granular level of evaluation, that of pattern matching.
Pattern matching involves provisioning on one or more network infrastructure devices with known “signatures” of potentially harmful packets or sets of packets. For the purpose of this invention, a signature is a known pattern of bits representative of a message, file, or program designed to establish unauthorized access to network services or to modify the configuration of one or more network infrastructure devices or other harmful network activity. The signature may be generated by an attached function or by a device forming part of the network infrastructure or sets of each or both. Algorithms are used to compare signal patterns with known signatures. If a match is identified, the network administrator is notified with information about the detected signature event. Upon receipt of notification, the network administrator may do nothing or manually adjust the state of the entire network infrastructure or a particular network infrastructure device in response to the detected signature.
The process of examining packets bit by bit to detect known harmful signatures provides the most effective network security in most instances, but it can also slow the network's operation. One way to balance network efficiency and network security involves moving away from a purely centralized signature analysis function to a distributed model of IDS functionality. Specifically, one or more network entry or distribution devices located at or near the edge of the network infrastructure may be provisioned with a portion of the total number of known IDS signatures, while one or more network infrastructure devices closer to the core of the network may include all or a larger portion of the total number of known signatures. In that way, a provisioned network entry device may be able to detect a known signature more quickly for reporting to the network administrator.
Signal patterns that the network entry device does not detect in the pattern matching evaluation are, in theory, picked up by other devices having larger signature sets for match evaluation. Unfortunately, the number of known harmful signature patterns changes almost daily and it is difficult to add them to the network entry devices without compromising the primary function of such devices—to pass packets as accurately and as quickly as possible. On the other hand, the IDS may be less effective as isolated network entry devices may be targeted with harmful signatures they cannot detect and an effective attack on the entire network system may materialize before the centralized pattern matching function fully recognizes the signature(s) involved.
Therefore, what is needed is an improved IDS with an effective mechanism for provisioning network infrastructure devices with known attack signatures as quickly as possible with minimal detrimental impact on the primary operation of those devices. Further, what is needed is an improved IDS with an effective mechanism for detecting potentially harmful attacks without requiring substantial introduction of intrusion detection appliances layered on the network infrastructure devices designed to transfer signals. Yet further, what is needed is such an improved IDS that may be configured to respond quickly and effectively to known and new intrusion signatures without a complete and substantial adjustment to existing network infrastructure devices.